Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
2.0.0-M20
-
None
-
None
-
Patch
Description
Suppose the client supports two encryption suites:
default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd
Server also supports three encryption suites:
des-cbc-md5, des3-cbc-sha1-kd and aes128-cts-hmac-sha1-96
The client send as-req with list of supported ciphers. Server answers the client with three ciphers.
The client chooses des-cbc-md5 and sends as-req with encrypted timestamp.
The bug is here. The server can try to decrypt timestamp with wrong algo(des3-cbc-sha1-kd). This occurs because of function
getBestEncryptionType( Set<EncryptionType> requestedTypes, Set<EncryptionType> configuredTypes )
returns some encryption type that both client and server support. It not necessary the cipher that was used to encrypt the timestamp.
Attached patch does decryption of timestamp always with cipher it was encrypted(if the server is configured to support that cipher)